Security and privacy
Learn about Felt's security and privacy.
Last updated
Was this helpful?
Learn about Felt's security and privacy.
Last updated
Was this helpful?
Felt implements comprehensive security measures including encryption, multi-factor authentication, and SOC 2 Type 2 compliance to protect user data. All user content is stored on secure US-based servers with strict access controls for employees.
All Felt web traffic is encrypted via TLS.
All Felt employees are required to use multi-factor authentication to access our internal systems, including our code and customer data.
All Felt data is stored on servers based in the US.
All Felt systems runs on public clouds such as AWS and Google Cloud.
All user credentials are stored with encryption at rest — Felt can never see your password.
All Felt web traffic is protected against DDoS attacks via Cloudflare.
All Felt systems’ uptime are monitored 24/7 around the globe.
Felt supports Single-Sign On via Google.
User provided and verified
Name
User provided
Profile picture
User provided
Password
Encrypted in transit and at rest
All user uploaded data such is stored on US servers.
The full user uploaded data is only accessible to the original uploader and Felt employees.
Felt generates excerpts (100 row samples) and thumbnails of images and those can be seen on maps that have the data visualized in them.
All Felt employees must use multi-factor authentication to access user generated content.
User uploads such as data and images are stored in a format that makes it impossible to guess their addresses.
Felt is hosted on a combination Render and Amazon Web Services (AWS). Felt does not operate its own servers, nor do Felt employees have physical access to Render or AWS datacenters, servers, or storage.
Render is a Platform as a Service provider. Felt uses Render’s services in its Oregon, US datacenter.
Render is independently audited for SOC2 compliant. All sensitive Felt data stored on Render is encrypted at rest.
AWS is the leading cloud provider used by enterprises and governments worldwide. Felt uses AWS’ services in its US datacenters. By using AWS, Felt inherits all the security and compliance features built by AWS and dependent upon the world’s biggest companies, including most of the world’s leading financial institutions.
All Felt employees use designated accounts to access our infrastructure. Employees are not allowed to share access credentials. All access is further protected behind two-factor authentication. All private keys are stored with strong encryption. Access controls are monitored automatically every day and manually quarterly.
Felt employs annual penetration testing by an independent third-party. The third-party engages with the production instances of Felt service and are under contract.
Any findings from the penetration testing are investigated by Felt’s security team and prioritized accordingly. Penetration testing schedule is monitored automatically.
Both Render and AWS are rigorously audited by third-parties. Both Render and AWS boast SOC 2 Type 2 compliance as well as ISO 270001 certification.
Felt undergoes SOC2 compliance audits and have received its SOC2 Type 2 compliance.
Felt aims to make unauthorized intrusion as hard as possible. All Felt compute instances both on AWS and Render run in their own virtual private networks. No Felt compute instance allows SSH access and all compute instances on AWS uses a Serverless infrastructure, meaning all instances are ephemeral and automatically killed when their task is complete or they reach their age-limit, currently set to 24 hours.
Furthermore, Felt uses AWS’s CloudTrail technology to monitor access to its services and Cloudtrail logs are further automatically monitored daily for unauthorized access.
All parts of Sentry service is over-provisioned, meaning all non-transient services like compute instances and databases have a lot of extra capacity in case of a demand spike. Our compute platform on Render is automatically spread across different availability zones and our platform on AWS is automatically horizontally scalable via Amazon’s Serverless stack.
All customer data is uploaded to AWS’ S3 service. Felt uses versioned controlled S3 buckets with 99.99% availability. All data that is stored on Render is backed up daily. Felt also runs annual business continuity recovery exercises and their schedule is monitored automatically.
All Felt data is uploaded to AWS’ S3 service and all Felt buckets are versioned controlled with no public access permissions. In the unlikely case of a disaster, Felt is able to recover the original data from S3 buckets.
The security and the privacy of customer data is paramount to everything Felt.
All customer data uploaded to Felt is encrypted at transit and at rest. Customer data uploads from the browser happen over HTTPS via transport layer security (TLS) encrypted connections and the data is stored on versioned AWS S3 buckets that are server-side encrypted. The settings on these buckets are monitored daily automatically.
Application data that is stored on Render databases are also stored with encryption at rest. Felt never stores your password in cleartext.
All Felt web traffic happens over HTTPS and certificates are managed automatically via Render and Cloudflare. Felt’s HTTPS settings are monitored automatically.
Felt employees might access customer data only for documented reasons and for limited amount of time. All access happens via individual accounts tied to each employee and is logged for potential audits. Felt employees can store data on their systems for technical troubleshooting or customer support only for limited amount of time and only if their systems are end-to-end encrypted. Felt employees’ personal devices used for such access is monitored hourly automatically.
Felt allows users to sign-in via Google in lieu of a password. Signing in via Google allows users to benefit from Google’s world-class authentication safety features such as multi-factor authentication, passkey authentication and federated logins. Many Felt users integrate their federated login systems with Google, allowing them to have a Single Sign-On provider via Google.
Felt allows users to create personal access tokens (PAT) to access Felt resources programmatically via application programming interfaces (API)s. PATs are stored with encryption on Felt databases and are exposed in cleartext only during creation. They are never logged. Users can revoke their PATs any time, or create multiple ones for various use-cases.
Felt uses a strong domain-based message authentication, reporting, and conformance (DMARC) setup for its email. This makes spoofing (pretending to be Felt) or phishing scams much harder to employ. Felt’s DMARC settings are monitored automatically daily. For all domain name service setups, including DMARC, Felt uses AWS’ Route 53 service, inheriting the security and audit capabilities of AWS services.
Felt uses a continuous delivery methodology to deliver its software, meaning every single code change is delivered quickly to production. This allows quick resolution of customer issues, including security patches.
Felt uses a continuous integration methodology to develop its software, meaning all code is continuously tested at each step of the progress. These tests include static analysis of our code against vulnerabilities, introduction of unexpected dependencies against supply-chain attacks, as well as unit and integration tests against bugs that might impact users and their security.
All Felt code is version controlled. Code changes must be requested via cryptographically verified methods and all code change must be approved by another person before it can be delivered to production via the CI/CD pipeline.
All Felt provided computers are registered to our Mobile Device Management (MDM) software. This MDM ensures that the workstations has correctly configured password managers, automatic updates, antivirus software, full disk encryption, and screensaver lock. These settings are checked for every single employee’s workstation every day.
Felt runs regular business continuity and disaster recovery tabletop scenarios to plan for unforeseen events. These events include but are not limited to loss of key personnel, degradation of key infrastructure, and operational force majeur events. The remediations for these possible events are discussed annually.
Felt maintains a wide array of policies regarding security. These policies are reviewed and updated annually where necessary.
Acceptable Use Policy
Asset Management Policy
Backup Policy
Business Continuity Plan
Code of Conduct
Controls Assessment Program
Data classification Policy
Data Classification, Handling, and Retention
Data Protection Policy
Disaster Recovery Plan
Encryption Policy
Incident Management Policy
Incident Response Plan
Information Security Policy
Password Policy
Physical Security Policy
Responsible Disclosure Policy
Risk Assessment Policy
Software Development Lifecycle Policy
System Access Control Policy
Vendor Management Policy
Vulnerability Management Policy
Felt runs a background check for all new hires globally. This check contains information such as:
Enhanced Identity Verification
US Criminal Record Check
National Sex Offender Registry Scan
Security Watchlist Scan
Fraud Scan
OFAC Global Sanctions Scan
Criminal Record Scan
Federal Record Scan
Single State County Record Scan
All State County Record Scan
All Felt employees are required to go through annual security training, as well as be presented with the policies. Acceptance of these policies and completion of security training is monitored automatically before employees can access any internal systems that include customer data.
Felt has received the following compliances:
SOC 2 Type 2
For further information, please reach out to privacy@felt.com
Felt aims to notify customers of any data breaches as soon as possible via email and has documented policies. Known incidents are reported on our Twitter feed () where users can see updates.
Security researchers are encouraged to reach out to Felt’s security team at via a working proof of concept. Felt does not have a bounty bug program, and encourage researches to responsibly disclose issues.
Interested parties can reach out to to request a copy of our SOC 2 Type 2 report.
Felt works with many educational institutions with their unique needs such as Family Educational Rights and Privacy Act (FERPA) and Childen’s Online Privacy Protection Rule (COPPA) requirements. Felt maintains a robust Data Protection Addendum (DPA). Interested parties can reach out to to request our DPA.
